The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, and drastically expanded the compliance obligations of companies involved in the collection, use, and management of any European Union citizens’ data. The GDPR imposes a strict regulatory scheme with steep penalties for non-compliance, with maximum fines set at the greater of 20 million Euros or 4% of a company’s annual worldwide revenue. GDPR Art. 83, § 5. Please refer to Perkins Coie’s GDPR Resources for a more comprehensive overview.
Companies should look critically at their insurance coverage to ensure their cyber policies provide adequate coverage in the event of an action under the GDPR. Below we identify general concepts that should be assessed when reviewing cyber policies for GDPR coverage. Because every insurance policy is unique (especially with respect to cyber coverage), this list is not meant to be exhaustive, but instead to provide a conceptual framework for a review of your company’s coverage.
- Definition of Personal Information: The GDPR regulates “personal data” which is defined broadly to include “any information [directly or indirectly] relating to an identified or identifiable natural person[.]” GDPR Art. 4, § 1. The definition of “personal information” (sometimes referred to as “personally identifiable information” or “private information”) in your cyber policy should be as broad as possible to ensure that there are no gaps between potential actions under the GDPR and what is covered by your policy.
- Coverage for privacy law violations: Cyber policies typically provide coverage for costs arising from a cyber breach. With the passage of the GDPR, however, mere wrongful collection or storage of an individual’s information is a violation of the law and can be the basis for a regulatory investigation and proceeding. Confirm that your company’s cyber policy provides coverage for violations of privacy laws, regardless of whether a breach is involved. Check to ensure your policy does not contain any exclusions for claims arising from activities regulated by the GDPR. Further, ensure that regulatory actions covered by your policy can be instituted by “any” governmental entity or by “any international” governmental entity — coverage that is restricted to actions brought by U.S. governmental or state entities will not provide coverage for GDPR violations.
- Coverage for fines and penalties: Many cyber policies provide coverage for fines and penalties arising from privacy breaches, including violations relating to a company’s non-compliance with privacy breach notification laws. Because the GDPR also imposes fines on companies for conduct other than privacy breaches, including the improper collection and storage of data, it is important that your cyber policy’s scope of regulatory damages be expansive. Check your policy to ensure that regulatory coverage is broad and applies to any violation of a privacy law or regulation.
- Most favored nations clause: The insurability of fines and penalties varies based on jurisdiction. Your cyber policy should have language to ensure any fines and penalties are covered to the fullest extent permissible under the law of the most favorable jurisdiction, otherwise known as a “most favored nations” clause.
- Cyber Limits: The GDPR permits onerous fines for violations. Be sure to take a close look at your cyber coverage limits in light of the potential for increased fines under the GDPR. Many cyber policies have sublimits for regulatory fines and penalties; ensure that any sublimited coverage is adequate with respect to your company’s needs.
Finally, be critical of any endorsements purporting to add GDPR coverage to your cyber policy. Some carriers have attempted to address issues with GDPR coverage by including an endorsement to cyber policies that simply includes coverage for claims arising out of the GDPR regulations, subject to the terms and conditions of the policy. These endorsements do not address the issues set forth above and often leave policyholders without coverage for the vast majority of GDPR violations.
Conducting a careful analysis of your cyber coverage will prove invaluable in the event of a GDPR violation. As cyber claims arising from the GDPR begin to roll in, new issues will invariably arise from a coverage perspective. Continuing to monitor developments in GDPR trends and coverage issues is vital to ensure that your company is adequately protected.